CVE-2023-36812: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
(updated )
OpenTSDB is a open source, distributed, scalable Time Series Database (TSDB). OpenTSDB is vulnerable to Remote Code Execution vulnerability by writing user-controlled input to Gnuplot configuration file and running Gnuplot with the generated configuration. This issue has been patched in commit 07c4641471c
and further refined in commit fa88d3e4b
. These patches are available in the 2.4.2
release. Users are advised to upgrade. User unable to upgrade may disable Gunuplot via the config optiontsd.core.enable_ui = true
and remove the shell files mygnuplot.bat
and mygnuplot.sh
.
References
Detect and mitigate CVE-2023-36812 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →